WWW_9hub_Net Posted December 30, 2010 Share Posted December 30, 2010 Hi, I have 3 applications running on wampserver hosted on our intranet. I would like to block the access of applications for a certain ip range. So I edited .htaccess files for each application as below. But the application is not blocked. order deny,allow allow from 10.212.4. deny from all After checking the logs I found that the ip address the client returning was different. Since all our machines use proxy settings by default. Anyone could help me how to over come this ? Quote Link to comment Share on other sites More sharing options...
QuickOldCar Posted December 30, 2010 Share Posted December 30, 2010 see if this helps order deny,allow deny from 10.212.4.0 - 10.212.4.255 allow from 10.212.4 deny from all actually you should put the address of exactly what want to allow for the 10.212.4 Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted December 30, 2010 Author Share Posted December 30, 2010 It doesn't work as I said the client's real local ip address is not captured because of proxy settings. Quote Link to comment Share on other sites More sharing options...
trq Posted December 30, 2010 Share Posted December 30, 2010 Obviously you need to use ranges of ip addresses that are valid then. Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted December 30, 2010 Author Share Posted December 30, 2010 I have been searching regarding this and found using "x-forwarded-for" may work. So I came up with this RewriteEngine On RewriteCond %{HTTP:X-Forwarded-For} ^10\.212\.4\.$ [OR] RewriteCond %{HTTP:X-Forwarded-For} ^10\.212\.5\.$ RewriteRule .* - [F] order allow,deny allow from 10.212.4. allow from 10.212.5 deny from all However I get 403 error even accessing from allowed ips Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 30, 2010 Share Posted December 30, 2010 A) It's HTTP:X_FORWARDED_FOR (yes it matters) B) Does your proxy server set the X_FORWARDED_FOR header so that doing this will even work? What HTTP headers does your proxy set? C) If you provided information about which ip address/range should be permitted and which should be blocked, someone can probably help you. D) Is there some reason you aren't using a real login/authentication system to prevent unauthorized access? Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted December 30, 2010 Author Share Posted December 30, 2010 Thanks for your reply. May I know how can I check http headers set by our proxy ? I would like to just allow access only from ip address in the range 10.212.4.1 to 10.212.4.60 and 10.212.5.1 to 10.212.5.60 There is no particular reason. It was users request. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 30, 2010 Share Posted December 30, 2010 The simplest way of seeing what information is in a http request would be to make a .php script with a phpinfo(); statement in it and browse to the URL of the file. The PHP Variables section (near the end) will list all the information that was contained in the request. For the ip address ranges you listed in your last post above, are those the IP addresses the destination server sees from the proxy server or are those the client IP addresses on the internal network? You have got to tell us exactly what information you are dealing with in order to get a solution that has anything to do with your problem. You have made statements, such as 'I found that the ip address the client returning was different', but you haven't supplied that information to us to help show what problem you are having. Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted December 31, 2010 Author Share Posted December 31, 2010 Firstly I wanna apologize for not providing necessary info. I'm a total newbie to these things. You are right seems X_FORWARDED_FOR is not available. How about using REMOTE_ADDR ? But the Remote_Addr below shown is for my server and its actually showing the proxy returned Ip address. However when I test from different machine the Remote_Addr is showing correct IP. Please find my HTTP Headers Information below. I have made the request from my server (10.212.4.53) HTTP Request GET /Hello/ HTTP/1.1 Connection keep-alive Accept image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language en-us User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Accept-Encoding gzip, deflate Cookie Host 10.212.4.53:8080 X-IMForwards 20 Via 1.1 abproxy01.cde.com.fg:8080 (IronPort-WSA/6.3.3-015) HTTP Response Headers X-Powered-By PHP/5.3.3 I have also added some more info which may be relevant HTTP_CONNECTION keep-alive HTTP_ACCEPT image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */* HTTP_ACCEPT_LANGUAGE en-us HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) HTTP_ACCEPT_ENCODING gzip, deflate HTTP_COOKIE HTTP_HOST 10.212.4.53:8080 HTTP_X_IMFORWARDS 20 HTTP_VIA 1.1 abproxy01.cde.com.fg:8080 (IronPort-WSA/6.3.3-015) SERVER_SIGNATURE no value SERVER_SOFTWARE Apache/2.2.17 (Win32) PHP/5.3.3 SERVER_NAME 10.212.4.53 SERVER_ADDR 10.212.4.53 SERVER_PORT 8080 REMOTE_ADDR 10.168.2.174 The Ipadress I mentioned are the client ip address the ip address sent by proxy server are different and in the range 10.168.2.174 Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 31, 2010 Share Posted December 31, 2010 The REMOTE_ADDR that the target/destination server sees (the server where the applications are at that you want to allow/deny requests to) when requests are made from the actual client computers, is the only thing that matters. So far, the only relevant information you have posted appears to be - "when I test from different machine the Remote_Addr is showing correct IP." Was this one of the client computers you want to allow access or deny access (you didn't state either way) and what was the IP address that was correct? (Correct to you doesn't mean anything to us unless you actually tell us what you saw in front of you.) Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted December 31, 2010 Author Share Posted December 31, 2010 When the requests are made from client machines the Remote_addr is showing their origial IP address. ex: 10.212.4.57 ex: 10.212.5.63 These are ip addresses based on which I wanna allow/deny access. However when I made requests from two servers (ip addresses 10.212.4.53 and 10.212.5.55) to one server 10.212.4.53 the remote_addr is showing proxy Ip address which are REMOTE_ADDR 10.168.2.174 REMOTE_ADDR 10.168.2.177 why remote_addr is not showing their original ips when requests are made from them? Both of them are servers they wampserver installed and few applications. This is the common thing I can think of . I came up with this , i didn't get a chance to test. what do you think ? RewriteEngine On RewriteCond %{REMOTE_ADDR} !^10\.212\.4\. [OR] RewriteCond %{REMOTE_ADDR} !^10\.212\.5\. RewriteRule .* - [F] order allow,deny allow from 10.212.4. allow from 10.212.5. deny from all Quote Link to comment Share on other sites More sharing options...
WWW_9hub_Net Posted January 3, 2011 Author Share Posted January 3, 2011 Following settings are working partially for me ErrorDocument 403 /403.php RewriteEngine On RewriteCond %{REMOTE_ADDR} !^10\.212\.5\.57 RewriteCond %{REMOTE_ADDR} !^10\.168\.2\.174 RewriteCond %{REMOTE_ADDR} !^10\.168\.2\.177 RewriteRule .* - [F] The 10\.168\.2\.177 and 10\.168\.2\.174 are the two servers. And these IP keep changing. I don't have any problem with the client machines. Any idea how to handle this ? I still can't figure out why only the servers are not showing correct Remote_addr when for the clients its correct. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.